PoS Flaws Allow Hackers to Steal Card Data, Change Prices

Point-of-sale (PoS) systems developed by SAP and other vendors have serious vulnerabilities that can be exploited by hackers to steal payment card data from the targeted organization’s network and change the price of items they want to purchase.

Researchers at ERPScan discovered that SAP’s POS product, which is part of the company’s SAP for Retail offering, was affected by several flaws. Specifically, the system’s server component, Xpress Server, lacked important authorization checks for critical functionality.

This allows an attacker with access to the system to send malicious configuration files to Xpress Server and gain complete control of both the frontend and backend of the PoS system.

A hacker can abuse dozens of commands, allowing them to steal data from all the credit and debit cards used at the targeted store, and to apply special prices and discounts to specified items. These discounts can be scheduled for specified times so that an item carries a reduced price only when the fraudsters arrive to purchase it. Fraudsters can also configure the system so that their purchases are charged to the previous customer’s card.

An attacker can also change the data displayed on a receipt, for example to print the customer’s full payment card number rather than only the last 4 digits as required.

An attack requires access to the targeted network. However, experts pointed out that some systems are exposed to the Internet, so remote attacks may be possible. If the PoS system is not connected to the Web, an attacker could plant the malware using a Raspberry Pi device connected to the targeted store’s network. ERPScan noted that the internal network can often be accessed from the electronic scales available in stores.

A video published by ERPScan shows a SAP POS attack scenario involving these vulnerabilities.

Some technical details were disclosed by ERPScan researchers in a presentation at the Hack in the Box (HITB) security conference taking place this week in Singapore.

SAP, whose retail solutions are used by 80 percent of the Forbes Global 2000 retailers, was informed about the vulnerabilities in April and released a patch in July as part of its regular security updates. However, the company released another update on August 18 after researchers discovered that the initial fix could be bypassed via a new flaw. The weaknesses were addressed with the release of the 2476601 and 2520064 security notes.

“SAP Product Security Response Team collaborates frequently with research companies like ERPScan to ensure a responsible disclosure of vulnerabilities. All vulnerabilities in question in SAP Point of Sale (POS) Retail Xpress Server have been fixed, and security patches are available for download on the SAP Support Portal. We strongly advise our customers to secure their SAP landscape by applying the available security patches from the SAP Support Portal immediately,” SAP said in a statement to SecurityWeek.

ERPScan researchers pointed out that these types of vulnerabilities are not specific to SAP products. They have also found similar flaws in Oracle’s MICROS system.

“Many POS systems have similar architecture and thus the same vulnerabilities,” said ERPScan’s Dmitry Chastuhin, one of the researchers who found the vulnerabilities. “POS terminals used to be plagued with vulnerabilities, as myriads of them were found and, unfortunately, exploited, so their security posture has improved significantly. On the other hand, banks must adhere to different compliance standards. So, the connections between the POS workstation and the store server turn out to be the weakest link. They lack the basics of cybersecurity - authorization procedures and encryption - and nobody cares about it. So, once an attacker is in the network, he or she gains full control of the system.”

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.